Product Documentation
NetScaler ingress controller
View PDF

Deploy NetScaler Cloud Controller using NetScaler Operator

August 16, 2024
Contributed by: 
C

Introduction

NetScaler Cloud Controller creates and maintains route entries for pod networks in the appropriate Azure route table.

Note:

NetScaler Cloud Controller only creates Azure routes between NetScaler and the Azure Red Hat OpenShift (ARO) cluster that resides in the same resource group.

This section provides information about deploying, configuring, and managing NetScaler Cloud Controller within Azure and ARO environments.

Prerequisites

  1. An active Azure subscription.

    Note down the subscription ID.

  2. An Azure account with sufficient permissions to create and manage resources. You must have access to create resources within the resource group and manage service principals.

  3. Note down the TENANT_ID, CLIENT_ID, and CLIENT_SECRET for your Azure account.

  4. A running ARO cluster in Azure (version 4.11 or later).

  5. The ARO cluster and the subnet to which the route needs to be established must be in the same VNet.

    Note down the following details: Resource Group Name, VNet Name, and Subnet Name and Azure location where the ARO cluster and NetScaler are located.

  6. Create a secret as described in the namespace where you want to deploy NetScaler Cloud Controller.

    oc create secret generic azsecret --from-literal=clientid="<CLIENT_ID>" --from-literal=clientsecret=”<CLIENT_SECRET>” -n <namespace>
<!--NeedCopy-->

  7. Create a service principal and assign a custom role to the service principal. For information, see Create service principal and assign a role.

  8. Verify if any NetScaler Operator version is already deployed in your cluster. If it is, you must deploy NetScaler Operator 3.0.1 using the OpenShift CLI. Otherwise, continue to Steps to deploy NetScaler Cloud Controller instance.

    Note:

    Currently, OpenShift does not permit the deployment of different versions of certified operators within the same cluster using the web console. For detailed information, see this page. Therefore, in cases where NetScaler Operator exists, you must deploy NetScaler Operator 3.0.1 using the OpenShift CLI.

Create a service principal and assign a role

Create a service principal and assign a role to it to set up the authentication details for the NetScaler Cloud Controller to manage Azure resources. There are two scenarios to consider while creating a service principal and assigning a role to it described as the following.

Case I: The subnet on which the routes are to be created is not part of the ARO cluster

Follow the steps to create a service principal with the desired roles or add the roles to an existing service principal.

Note:

If a service principal exists, skip to step 9 to assign a role to the service principal.

  1. Log in to Microsoft Azure Portal.

  2. Go to the App registrations service.

  3. Click New Registration.

    new registration

  4. Enter the details such as name and supported account types.

  5. Click Register to create your service principal.

    Note down the clientID from your service principal details.

    client id

  6. Click Certifications & Secrets in the left pane and click New client secret.

    client secret

  7. Enter a description and choose an expiry.

    client secret details

  8. Note down the secret value. This value is clientSecret.

    client secret value

  9. Go to Resource Group → <Your Resource Group> → Access Control (IAM).

    Select the resource group where the ARO cluster and the VNet exist.

  10. Click Add and select Add custom role.

    add custom role

  11. Add the following custom.JSON sample.

    {
"properties": {
    "roleName": "NetScaler Cloud Controller Role",
    "description": "Allows managing cloud controller role",
    "assignableScopes": [
        "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>"
    ],
    "permissions": [
        {
            "actions": [
                "Microsoft.Network/routeTables/routes/write",
                "Microsoft.Network/routeTables/routes/read",
                "Microsoft.Network/routeTables/routes/delete",
                "Microsoft.Network/routeTables/delete",
                "Microsoft.Network/routeTables/write",
                "Microsoft.Network/routeTables/read",
                "Microsoft.Network/virtualNetworks/subnets/read",
                "Microsoft.Network/virtualNetworks/subnets/write"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
        }
    ]
}
}

<!--NeedCopy-->

  12. Modify the custom_role.json file as per your desired settings.

    You must add your Resource Group and Subscription ID in the JSON file.

  13. Select Start from JSON in Baseline Permissions and upload the modified custom_role.json file.

    add custom role

  14. Click Review + Create.

  15. Go to Add role assignment.

    add role assignment

  16. Search for the custom role created in step 14.

  17. Select the role, and press next.

    search custom role

  18. Under Members, select the service principal created in step 5.

    add role assignment

  19. Click Review + Assign.

Case II: The subnet on which the routes are to be created is part of the ARO cluster

In this case, you must have access to the service principal created during the OpenShift installation. The automatically created service principal during the ARO installation has a aro-app- prefix.

  1. Go to Resource Group → <Your Resource Group> where the ARO cluster and the VNet exist. Go to Resource Group → <Your Resource Group> → Access Control (IAM)

  2. Click Add and select Add custom role.

    add custom role

  3. Copy the following in a JSON file named custom_role.json.

    {
"properties": {
    "roleName": "NetScaler Cloud Controller Role",
    "description": "Allows managing cloud controller role",
    "assignableScopes": [
        "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>"
    ],
    "permissions": [
        {
            "actions": [
                "Microsoft.Network/routeTables/routes/write",
                "Microsoft.Network/routeTables/routes/read",
                "Microsoft.Network/routeTables/routes/delete",
                "Microsoft.Network/routeTables/delete",
                "Microsoft.Network/routeTables/write",
                "Microsoft.Network/routeTables/read",
                "Microsoft.Network/virtualNetworks/subnets/read",
                "Microsoft.Network/virtualNetworks/subnets/write"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
        }
    ]
}
}

<!--NeedCopy-->

  4. Modify the custom_role.json file as per your desired settings.

    You must add your Resource Group and Subscription ID in the JSON file.

  5. Select Start from JSON in Baseline Permissions and upload the modified custom_role.json file.

    add custom role

  6. Click Review + Create.

  7. Click Add role assignment.

    add role assignment

  8. Search for the custom role created in step 4. Select the role, and click next.

    search custom role

  9. In the Members section, select the service principal that is managing the OpenShift cluster.

    add role assignment

  10. Click Review + Assign.

Steps to deploy NetScaler Cloud Controller instance

  1. Log in to the 4.x OpenShift console.

  2. Navigate to Operators > OperatorHub, select Certified source in the left panel, and then select NetScaler Operator.

  3. Select tech-preview under Channel, select version 3.0.1, and click Install.

    install NetScaler Operator

  4. To subscribe to NetScaler Operator, select one of the following options:

    • All namespaces on the cluster (default): NetScaler Operator is available in all the namespaces on the OpenShift cluster. Hence, this option enables you to start the NetScaler instance from any namespace on the cluster.

    • A specific namespace on the cluster: NetScaler Operator is available in the selected namespace on the OpenShift cluster. Hence, this option enables you to start the NetScaler Operator instance on the selected namespace only.

    installation mode

  5. Click Install.

    Wait until the NetScaler Operator is subscribed successfully.

  6. Navigate to Operators > Installed Operators and select NetScaler Operator.

    Install NetScaler Ingress Controller

  7. Switch to the project where you want to deploy the cloud controller.

  8. Navigate to Operators > Installed Operators and select NetScaler Operator.

  9. Go to NetScaler Operator, click the NetScaler Cloud Controller tab, and then click Create NetScaler Cloud Controller.

    deploy cloud controller

    The YAML for NetScaler Cloud Controller CRD is displayed.

  10. Edit the CRD to add the following values obtained in the prerequisites section.

    metadata:
  name: <NAME>
spec:
  azure:
    image: quay.io/netscaler/netscaler-cloud-controller@sha256:6897df79411bd1b4ddb5195d570f10e01bd3c084772b918112797a346980f4cb
    vnetname: "<VNET_NAME>"
    subnetname: "<SUBNET_NAME>"
    resourcegroupname: "<RESOURCE_GROUP_NAME>"
    location: <LOCATION>
    clientsecret: <AZURE_SECRET>
    tenantid: <TENANT_ID>
    subscriptionid: <SUBSCRIPTION_ID>
<!--NeedCopy-->

    Create cloud controller

    Refer to the following table for the descriptions of the fields in the YAML file.

    Field Description
    <NAME> Name of the controller instance
    <VNET_NAME> Azure VNet name in which the required subnet and the OpenShift Cluster exists
    <SUBNET_NAME> Azure VNet subnet name from where the route is to be established to the ARO cluster. This subnet has to be in the same VNet as the same ARO Cluster
    <LOCATION> Azure location
    <TENANT_ID> Tenant ID of the Azure service principal
    <SUBSCRIPTION_ID> Subscription ID for your Azure account
    <RESOURCE_GROUP_NAME> Resource group name where the VNet exists
    <AZURE_SECRET> Secret name created in the prerequisites section

  11. After updating the values for the required parameters, click Create.

  12. Navigate to the Workloads > Pods section and verify whether the NetScaler Cloud Controller pod is up and running.

After the controller pod is up and running, the required route table with the subnet is created.

Notes:

  • The controller creates a route table and associates it with the given subnet if the route table does not exist. The format of the new table will be <SUBNET_NAME>_<LOCATION>_rt.
  • To avoid conflicts with routes created/updated by the NetScaler Cloud Controller from other automation processes or users, the routes managed by NetScaler Cloud Controller start with the prefix NSCC_, followed by a hash value for tracking. Do not create routes with the same name prefixes to avoid conflicts.

The following roles are installed when NetScaler Cloud Controller is deployed. NetScaler Cloud Controller requires these roles to manage its CRD and get node-specific information.

API Group Resources Verbs
rbac.authorization.k8s.io clusterrolebindings create, delete, get, list, patch, update, watch
rbac.authorization.k8s.io clusterroles create, delete, get, list, patch, update, watch
core nodes All
core serviceaccounts create, delete, get, list, patch, update, watch
apps deployments create, delete, get, list, patch, update, watch
core pods create, delete, get, list, patch, update, watch, serviceaccounts

Deploy NetScaler Operator 3.0.1 using the OpenShift CLI

This procedure describes how to deploy NetScaler Operator 3.0.1 when you already have a different NetScaler Operator version installed in the cluster.

Note:

Installation of operands using the GUI is not possible.

  1. Create a namespace and switch to that namespace.

    oc create ns <namespace>

oc project <namespace>
<!--NeedCopy-->

  2. Install the following operand CRDs.

    oc create -f https://raw.githubusercontent.com/netscaler/netscaler-k8s-ingress-controller/master/deployment/operator/netscaler.com_netscalergslbcontrollers.yaml

oc create -f https://raw.githubusercontent.com/netscaler/netscaler-k8s-ingress-controller/master/deployment/operator/netscaler.com_netscalercloudcontrollers.yaml
<!--NeedCopy-->

  3. Update the namespace in rbac.yaml to the one created in step 1 and then install the rbac.yaml file.

    oc create -f rbac.yaml
<!--NeedCopy-->

  4. Install the manager.

    oc create -f https://raw.githubusercontent.com/netscaler/netscaler-k8s-ingress-controller/master/deployment/operator/operator_manager.yaml
<!--NeedCopy-->

Now, NetScaler Operator is ready. Install NetScaler Cloud Controller using the YAML available in step 10 of the Steps to deploy NetScaler Cloud Controller instance section.

Deploy NetScaler Cloud Controller using NetScaler Operator
August 16, 2024
Contributed by: 
C
August 16, 2024
Contributed by: 
C

In this article

Site feedback | Your privacy choices footer linkYour Privacy Choices | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999- Cloud Software Group, Inc. All rights reserved.